Last month, the general manager of a mid-sized Turkish manufacturer received an unexpected request: a European client had added a new clause to their supplier agreement, requiring documented proof of GDPR compliance. The manager forwarded the issue to the IT director, who responded that this was not a technical problem; it required a corporate decision. That short exchange captures the most important signal that the EU General Data Protection Regulation (GDPR), which applies from 25 May 2018, is sending to Turkish businesses: data protection is no longer a back-office IT concern. It is a management responsibility.
GDPR applies to any organization that processes personal data of individuals in the European Union, regardless of where that organization is based. The scope turns on the data subject's location, not citizenship: a company operating in Istanbul or Ankara is within scope if it offers goods or services to people in the EU, monitors their behaviour (for example through website analytics or marketing profiling), or processes EU personal data on behalf of an EU client as a supplier. The penalty framework is deliberately severe: administrative fines of up to four percent of annual worldwide turnover or 20 million euros, whichever is higher. These figures shift data protection from a line item in the IT budget to a core element of enterprise risk management.
Turkey already has its own data protection legislation in the form of the Personal Data Protection Law (KVKK, Law No. 6698), which has been in force since 2016. However, GDPR introduces requirements that go beyond KVKK in several areas: maintaining detailed records of processing activities, mandatory breach notification to the supervisory authority within 72 hours, the right to erasure, data protection impact assessments for high-risk processing, and in certain cases the mandatory appointment of a Data Protection Officer (DPO). Assuming that KVKK compliance automatically satisfies GDPR is a risk calculation error that regulators will not accept.
For companies running ERP and CRM systems, the implications are direct. Customer records, employee files, supplier contacts, order histories, and payment references all potentially qualify as personal data under GDPR's broad definition. Achieving compliance requires first mapping where personal data lives within the system, who has access to it, how long it is retained, and under what legal basis it is processed. This exercise, commonly called a data inventory or data mapping, is the foundation of any credible compliance program and the raw material for the records of processing activities that GDPR requires. Without it, signing a client's compliance clause or issuing a compliance declaration is not just premature; it is itself a liability.
On the cybersecurity side, GDPR introduces the principle of "data protection by design and by default," which means that data protection measures must be embedded into system architecture from the outset rather than added as an afterthought. Access controls, encryption, audit logging, and breach detection mechanisms move from optional best practices to measures an organization must be able to justify as appropriate to the risk of its processing; a regulator will ask why a given safeguard was absent. For companies using cloud-based ERP or CRM platforms, this extends to the service provider: the absence of a signed Data Processing Agreement (DPA) with the vendor can itself constitute a violation, regardless of how secure the underlying system is.
The point that many executives overlook is that GDPR compliance is not a project with a completion date — it is an ongoing operational discipline. A one-time audit report or a consultant’s gap analysis is not sufficient. Organizations must establish processes for regular staff training on data handling, periodic testing of breach response procedures, review of third-party contracts, and evaluation of software updates from a compliance perspective. For a mid-sized company, sustaining this level of operational discipline often exceeds the capacity of an existing IT team. This is where external legal counsel, specialized consultants, or a part-time DPO arrangement becomes a practical necessity rather than a luxury.
For decision-makers assessing where to start, three questions provide a useful framework. First, does your organization process personal data of EU residents, directly through sales or services, or indirectly through the supply chain? Second, within your ERP and related systems, where is personal data stored, who can access it, and how long is it retained? Third, if a data breach occurred tonight, does your organization have a documented process to notify the relevant supervisory authority within 72 hours of becoming aware of it, and to inform the affected individuals where the breach poses a high risk to them? If any of these questions cannot be answered with confidence, the compliance gap is not technical; it is organizational. That is precisely the structural shift GDPR enforces: data protection belongs on the first page of the board agenda, not in the appendix of an IT audit report.
This article was originally written in Turkish by Gökhan MERCANOĞLU on January 8, 2018 and has been automatically translated into English and other languages using machine translation.